[kirkstone,05/14] ffmpeg: fix CVE-2023-51798

Message ID	b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b.1732733274.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.179, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/14] ffmpeg: fix CVE-2023-51798 Date: Wed, 27 Nov 2024 10:49:58 -0800 Message-Id: <b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b.1732733274.git.steve@sakoman.com> In-Reply-To: <cover.1732733274.git.steve@sakoman.com> References: <cover.1732733274.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/14] python3-pip: fix CVE-2023-5752 \| expand [kirkstone,01/14] python3-pip: fix CVE-2023-5752 [kirkstone,02/14] builder: set CVE_PRODUCT [kirkstone,03/14] coreutils: fix CVE-2024-0684 [kirkstone,04/14] libsndfile: fix CVE-2024-50612 [kirkstone,05/14] ffmpeg: fix CVE-2023-51798 [kirkstone,06/14] ffmpeg: fix CVE-2023-47342 [kirkstone,07/14] ffmpeg: fix CVE-2023-50007 [kirkstone,08/14] ffmpeg: fix CVE-2023-51796 [kirkstone,09/14] ffmpeg: fix CVE-2024-7055 [kirkstone,10/14] tzdata&tzcode-native: upgrade 2024a -> 2024b [kirkstone,11/14] package_rpm: use zstd's default compression level [kirkstone,12/14] package_rpm: restrict rpm to 4 threads [kirkstone,13/14] ninja: fix build with python 3.13 [kirkstone,14/14] gstreamer1.0: improve test reliability

Message ID

b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b.1732733274.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/14] ffmpeg: fix CVE-2023-51798
Date: Wed, 27 Nov 2024 10:49:58 -0800
Message-Id: 
 <b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b.1732733274.git.steve@sakoman.com>
In-Reply-To: <cover.1732733274.git.steve@sakoman.com>
References: <cover.1732733274.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/14] python3-pip: fix CVE-2023-5752 | expand

Commit Message

Steve Sakoman Nov. 27, 2024, 6:49 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker
to execute arbitrary code via a floating point exception (FPE) error at
libavfilter/vf_minterpolate.c:1078:60 in interpolate.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2023-51798.patch        | 45 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch
new file mode 100644
index 0000000000..6250486c05
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch
@@ -0,0 +1,45 @@ 
+From c9e6162554cc7d04a56e2edd1f6f1479c6f8b62f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 30 Dec 2023 02:51:32 +0100
+Subject: [PATCH] avfilter/vf_minterpolate: Check pts before division
+
+Fixes: FPE
+Fixes: tickets/10758/poc20ffmpeg
+
+Discovered by Zeng Yunxiang
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2023-51798
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/c9e6162554cc7d04a56e2edd1f6f1479c6f8b62f]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavfilter/vf_minterpolate.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c
+index 97d0e96..9296e67 100644
+--- a/libavfilter/vf_minterpolate.c
++++ b/libavfilter/vf_minterpolate.c
+@@ -1078,8 +1078,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out)
+     pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den,
+                                    (int64_t)             outlink->time_base.den * inlink->time_base.num);
+
+-    alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+-    alpha = av_clip(alpha, 0, ALPHA_MAX);
++    if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {
++        alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
++        alpha = av_clip(alpha, 0, ALPHA_MAX);
++    } else {
++        av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n");
++        alpha = 0;
++    }
+
+     if (alpha == 0 || alpha == ALPHA_MAX) {
+         av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 80a4e5b96f..b8bd77972b 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -35,6 +35,7 @@  SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://CVE-2024-31582.patch \
            file://CVE-2024-31578.patch \
            file://CVE-2023-51794.patch \
+           file://CVE-2023-51798.patch \
           "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

[kirkstone,05/14] ffmpeg: fix CVE-2023-51798

Commit Message

Patch